[squid-users] squid-users Digest, Vol 27, Issue 4

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 3 02:18:45 UTC 2016


On 3/11/2016 1:06 a.m., Patrick Flaherty wrote:
> From: Amos Jeffries:
> 
> On 2/11/2016 12:55 p.m., vze2k3sa wrote:
>> Hi,
>>
>> I have a question around having Squid, which is configured to handle all 
>> company traffic to and from the web. When connecting to an SSL 
>> website, HTTP Connect is used. Can Squid be configured so all the 
>> inbound SSL traffic is SSL decrypted and sent back to clients as clear text http traffic?
> 
> 
>> The CONNECT message *is* clear-text HTTP. So already it is doing what you asked. But I think what you want is not what you are asking for.
> 
>> Squid supports receiving requests for https:// URLs from clients on regular TCP connections and will perform the HTTPS part for them.
> 
>> Squid also supports clients using TLS to connect to the proxy, then to pass it requests for https:// URLs. There is a sad lack of clients that support doing that though.
> 
> 
>> If the client is performing TLS to the origin server, then no. You cannot reply with plain-text HTTP to them. Your only choice in that case is the SSL-Bump feature.
> 
>> Amos
> 
> 
> Thanks Amos for the reply. 
> 
> What I'm looking for is to send all client requests http and get replies back as http where I don't care if the internet site requires SSL or not. 
> 

That is not something you (or Squid) have any control over. The client
decides how it is going to send each request. The reply must be sent
back via the same connection.

To get what you want the client must send https:// URLs to Squid in
plain-text connections. Violating the basic requirement that HTTPS only
ever travel over secure connections.

BUT, if it does so Squid accepts the traffic anyhow.

Amos
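
The request forms discussed in this thread, as seen on the wire by a forward proxy, shown as an added example that is not part of the original messages or of Squid's code. The names `classify` and `ProxyRequest` are hypothetical and the sample requests are constructed; the check flags the case where an https:// URL arrives over a non-TLS client-to-proxy connection.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ProxyRequest:
    kind: str              # "tunnel", "https-via-proxy", "http" or "other"
    host: str
    port: int
    proxy_sees_url: bool   # can the proxy read the full URL and the reply?
    cleartext_https: bool  # https:// URL sent over a non-TLS client-to-proxy hop


def classify(raw: bytes, client_hop_tls: bool = False) -> ProxyRequest:
    """Classify the request line of a message received by a forward proxy."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {line!r}")
    method, target, _version = parts

    if method.upper() == "CONNECT":
        # authority-form target: the CONNECT line itself is clear-text HTTP,
        # but what follows is the client's own TLS session to the origin.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad CONNECT target: {target!r}")
        return ProxyRequest("tunnel", host.strip("[]"), int(port), False, False)

    url = urlsplit(target)
    scheme = url.scheme.lower()
    if scheme == "https" and url.hostname:
        # absolute-form https:// URL: the proxy performs the HTTPS part itself,
        # so the client-to-proxy hop is only protected if that hop uses TLS.
        return ProxyRequest("https-via-proxy", url.hostname, url.port or 443,
                            True, not client_hop_tls)
    if scheme == "http" and url.hostname:
        return ProxyRequest("http", url.hostname, url.port or 80, True, False)
    return ProxyRequest("other", url.hostname or "", url.port or 0, True, False)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    b"GET https://www.example.com/account HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```
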


